...review of the current New Users and Password Requirements policies and the proposed changes to these policies with justifications are listed below. Current Policies: New Users “New Users are assigned access based on the content of an access request. The submitter must sign the request and indicate which systems the new user will need access to and what level of access will be needed. A manager’s approval is required to grant administrator level access.” Current Policies: Password Requirements “Passwords must be at least eight characters long and contain a combination of upper- and lowercase letters. Shared passwords are not permitted on any system that contains patient information. When resetting a password, users cannot reuse any of the previous six passwords that were used. Users entering an incorrect password more than three times will be locked out for at least 15 minutes before the password can be reset.” A: Revised Policies: New Users “New Users are assigned appropriate access based on their role within the organization and their need to access specific data and/or data stores. The user and supervisor must submit a signed request and indicate which systems (roles) the new user will need access to and what level of access will be required. To grant administrator level access, an additional signature from a manager is required. New Users are required to complete training on workforce awareness, password management procedures, remote device protection, and transmission of EPHI (Electronic...
Words: 1045 - Pages: 5
...sets the guidelines of an organization’s approach to security. The policy differs from a plan in that a plan is a call to action, while a policy defines the goals of the plan. 2.0 Acceptable Use Policy Global Distribution’s network administrator plans to provide a reasonable level of privacy to its users, but all users must note that all data created on the corporate WAN and remote facilities (warehouses) is the property of GDI (SANS Institute, 2006). In order to protect the network of GDI, any information or data stored on company devices is subject to management monitoring, and therefore confidentiality cannot be guaranteed. An audit of the network can be conducted at any time to ensure that users are in compliance with policies. It is required that all employees understand that they are responsible for exercising good judgment when using company devices for personal use. “The user interface for information contained on Internet/Intranet/Extranet or related systems should be classified as either confidential or not confidential” (SANS Institute, 2006). Confidential information of GDI would include, but is not limited to: email routing, financial functions,...
Words: 2146 - Pages: 9
...regarding my recommendations to the company about deploying a SAN at each branch office, since each office uses data, audio, video and graphic files that are shared by staff at each location. The SAN may incorporate NAS devices, which we have evaluated with different vendors. As we conducted further research in order to provide you with more detailed specifications on SAN and NAS solutions, we were able to come up with the following information, presented in the form of questions and answers. What is required to implement a SAN and/or NAS? Storage-area networks (SANs) are composed of computers and remote storage devices. The computers are typically connected to the remote storage devices using SCSI over Fibre Channel (see Figure 1). Other implementations of SAN exist, but this is the most common. In a SAN, all the storage appears local, just as if the remote disk were directly connected to the computer and physically located inside the computer chassis. Network-attached storage (NAS) devices appear to the user as a remote drive letter or as a named remote storage device. Typically, the operating system employs a protocol such as Network File System (NFS) or Common Internet File System (CIFS) to discover, log in, and transfer content to and from a storage device. NFS and CIFS both communicate over Ethernet. The user typically enters a username and password, and then is granted access to a particular device. Figure 1. SAN and NAS use different protocols and transports. ...
Words: 7132 - Pages: 29
...Task 1 Heart Healthy Information Security Policy: A. 1. The policy for information security has two different sections – the first is managing passwords and the second is the new user policy. They are discussed in detail below: New Users: When a new user enters the organization, depending upon the roles and responsibilities assigned to the person, he will be given corresponding access rights. With the help of these access rights the person will be able to access the files and data necessary for his tasks. When these access rights are assigned, the user should sign a document which lists his roles and responsibilities. This document will be co-signed by his supervisor as an agreement. If a user requires elevation in privileges, he will need to get permission from the respective manager. When new people join the organization they will be taken through an orientation program which will give information on security policies, work culture, the workplace, information security practices, etc. Besides the orientation program, the users will also be trained on topics like remote device protection, password management, content management, file downloads, access levels and their importance, and acceptable use of the internet and email. These trainings are mandated for all new users, and after completion of training this will be documented and stored. As per HIPAA guidelines, unless all these mandatory trainings are completed they are not given access to the company data and records (HIPAA...
Words: 1304 - Pages: 6
...lacking in their physical and technical web security. Before any technical measures can be taken, physical measures should be considered. A big concern is where machines are located. The servers at San Jose and China are data centers and therefore need to be well protected. They should be in a locked fireproof room with authorized access only, and should also have fire suppression and temperature control systems. The servers at Albany and Pontiac should have the same care, but at least be in a locked room away from the public to avoid accidents. All computers should be in an office or room that can be locked. Laptops should be cable-locked or locked in a drawer when not in use. Printers should also be in a lockable room. Any research and design machines need to be in a separate part of the San Jose building with special access, and the servers need to have their own room. All the cyber security in the world could not stop someone from walking up to a machine and downloading the data. Next, to have a digital system the proper hardware needs to be in place. Riordan already has hardware, but the majority of it is out-of-date. To start, all hubs will be replaced with switches, which are, so to speak, smarter. The existing switches will be replaced with newer ones. The routers need to be updated as well. The San Jose and China servers are not that old, but may need to be updated based on how they handle the new cyber security measures. Albany and Pontiac...
Words: 644 - Pages: 3
...16 Backup 17 Physical Security 18 Enforcement 20 Appendix 22 References 23 Abstract This paper describes the security policy of a fictitious company called Pixel Inc. Pixel Inc. is a small business with nearly 100 employees whose business focus is multimedia. Due to the nature of the business, the company uses varying operating systems such as Windows, Mac and Linux systems, wired over gigabit Ethernet networking. The security policy focuses on securing intellectual property in storage and in transit. Usage policies are also devised for desktops and devices. Purpose Information security is crucial for Pixel Inc. to secure its information technology assets. The security is expected to provide protection from unauthorized access to its intellectual property, system assets, network equipment, customer data and business system information. The policy described here is for implementing security practices across Pixel Inc. in everyday use of the information technology assets. Scope The scope of this security policy is limited to securing information technology assets and the physical locations where such systems are used and hosted. The policy considers threats both internal and external to the organization, and recommends policies relevant to the threats that such a business is vulnerable to. The content here is limited to listing...
Words: 3640 - Pages: 15
...the most devastating security breaches can occur during employee termination when steps are not taken to remove access to resources in a timely manner. HIPAA guidelines specify that when employees are terminated, certain steps, at a minimum, must be followed. These include changing locks, removal from access lists, removal of user accounts, and confiscation of keys, tokens and other access cards. Though these steps may seem to be common sense, some organizations may not have documented procedures to follow when an employee is terminated. Additionally, the responsibility for carrying out the termination procedures must be clearly assigned and documented (SANS Institute, 2001). Security Training In order for a security program to work well, the employees must be educated in security practices such as password protection, monitoring login failures and other basic practices. A well-educated workforce can become an extension of the security group of any organization through simple awareness. The HIPAA regulations require a Security Awareness training program that includes: awareness training for all personnel, security reminders to the workforce, virus...
Words: 1211 - Pages: 5
...standard field issue to every soldier, complete with combat-focused applications [1]. However, smartphones and tablets raise new security issues. They are more likely to be lost or stolen, exposing sensitive data. Malware risks are increased because they connect to the Internet directly rather than from behind corporate firewalls and intrusion-protection systems. Security of mobile devices focuses on controlling access through the use of device locks and hardware data encryption. While this may be sufficient for individual users, it is insufficient for defense needs. Many documented examples exist of hacking of the device lock, as well as defeats of the hardware-level encryption. Once the device is unlocked, there is generally unfettered access to all apps and their associated data. Military applications require additional application-level access controls to provide data security. Unfortunately, there are gaps in the application-level security model of the two predominant mobile operating systems: iOS from Apple and Google Android. Our ongoing research looks to address these gaps by developing innovative approaches for fine-grained data protection and access control, taking into account mobile device usage patterns, device characteristics, and usability. Mobile Applications Security Threat Vectors Many threat vectors for infecting personal computers arise from social-engineering attacks that bypass anti-virus defenses. Similar techniques are used in the smartphone and tablet...
Words: 4009 - Pages: 17
...Briefly discuss the background of GDI. b. Also, discuss the given problem of IT security, infrastructure, cost, etc. II. Discuss the important assets of the company that need protection c. Asset identification: “Identify and quantify the company’s assets” (Meyers, 2009, p. 215) i. Important assets include: 1. Computer network equipment (Meyers, 2009, p. 215) 2. Data (Meyers, 2009, p. 215) 3. Servers, printers 4. Routers, firewalls, switches, wireless devices, etc. d. Access control methods: sensitivity, integrity, availability (Meyers, 2009, p. 157). e. Risk and threat assessment: “Identify and assess the possible security vulnerabilities and threats” (Meyers, 2009, p. 215). f. Identify solutions and countermeasures: “Identify a cost-effective solution to protect assets” (Meyers, 2009, p. 215). III. Security architecture for the company g. “The IT department should always have current diagrams of your overall network architecture on hand” (Meyers, 2009, p. 381). IV. A list of 20-30 possible policies that could be applied to this situation h. User Account Policy (Meyers, 2009, p. 170) i. Audit Security Policy (SANS) j. Email Security Policy (SANS)...
Words: 573 - Pages: 3
...Running head: RIORDAN MANUFACTURING PHYSICAL LAYOUT AND NETWORK Riordan Manufacturing Physical Layout and Network Security Nadja Marava, Russell Elder, Roman Silva, and Logan Pickels University Of Phoenix CMGT 441 Introduction to Information Security Management Jude Bowman September 3, 2012 Riordan Manufacturing Physical Layout and Network Security As can be seen on the Intranet Website, Riordan currently operates four manufacturing plants; three located in the United States (San Jose, California; Pontiac, Michigan; and Albany, Georgia) and one overseas (Hang Zhou, China). Each plant contains the same basic departments, including Sales and Marketing, Operations, Finance and Accounting, Information Technology (IT), Legal, and Human Resources. The problem, however, lies in the Sales and Marketing, Operations, Finance and Accounting, and Human Resources departments of all four plants, which have outdated and unconsolidated systems. China Physical Layout One location is China. The Wide Area Network being used has three T1 connections in the United States and a satellite connection in China. This paper is used for determining the architecture for the Riordan WAN and then researching what security measures can be taken to reduce vulnerabilities. The layout is below:
• Ethernet Backbone 1G
• Windows Exchange server – Email
• Windows Network server – Domain controller
• Unix Server for ERP/MRP – Customer and Vendor Relations
• Linksys Wireless Router ...
Words: 3147 - Pages: 13
...16 May 2011 Standards and Legal Issues By Thomas Groshong An audit of the Electronic Health Record (EHR) system reveals a lack of basic policies and standards to protect EHR data from misuse, abuse or theft. The Health Insurance Portability and Accountability Act (HIPAA) requires protection of EHR data and basic security guidance to adequately safeguard this data from threats of misuse and/or theft. Thomas J. Smedinghoff quotes HIPAA law 42 USC Section 1320d-2(d)(2), which establishes three basic security principles: “maintain reasonable and appropriate administrative, technical, and physical safeguard” (Smedinghoff, 2008). A reasonable attempt to provide safeguards and follow accepted standards for security can be found in the HIPAA Security Guidance, National Institute of Standards and Technology (NIST) documents, and the SANS Institute policies. The security goal is to provide confidentiality, integrity, and availability of EHR information (Smedinghoff, 2008). The policies created below address weaknesses in the current system and provide direction on how to meet industry standards and legal requirements. A. Create three organizational policy statements: HIPAA suggests a three-pronged approach: physical security, technical security, and administrative security. This document will cover organizational policies for each of the three categories based on best practices...
Words: 1128 - Pages: 5
...Router/Switch Operating System Cisco IOS, or Internetwork Operating System, is the operating system for Cisco’s routers and network switches. Cisco Systems is a multinational corporation based in San Jose, California that designs, manufactures, and sells networking equipment. The company was founded in 1984 by two people working on the computer support staff at Stanford University: Leonard Bosack, who was in charge of the computer science department’s computers, and his then girlfriend Sandy Lerner, who was in charge of the graduate school of business’s computers. They named the company after San Francisco, which is why in the company’s early years they insisted that the first “c” in cisco not be capitalized. Cisco IOS is the operating system used for their products, and I will go over the history and technical specifications of this operating system. Cisco IOS was first based on Stanford University’s multiple-protocol router software, which was written by William Yeager, a Stanford research engineer, while at Stanford Medical School. Cisco IOS is a package of routing, switching, internetworking, and telecommunications functions integrated into a multitasking operating system. Cisco IOS is versioned using three numbers and a few letters in the general form a.b(c.d)e, with a being the major version number, b the minor version number, c the release number, and d the interim build number, omitted from general...
Words: 1061 - Pages: 5
...Interested in learning more about security? SANS Institute InfoSec Reading Room. This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission. © SANS Institute 2009, Author retains full rights. Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46. Mobile Device Forensics. GCFA Gold Certification. Author: Andrew Martin, andrew@martinsecurity.net, http://www.martinsecurity.net. Advisor: Joey Niem. Accepted – August 29, 2008. Table of Contents: Abstract 4; Devices 5; Tools – General 5; Motorola Razr V3C 7; Scenario...
Words: 11661 - Pages: 47